Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
19-05-2024 13:56
General
-
Target
cff9cd0b86c004879f6b7531427adc70_NeikiAnalytics.dll
-
Size
120KB
-
MD5
cff9cd0b86c004879f6b7531427adc70
-
SHA1
ffe712f93b238b4338c5e2c907880cedd87f49bc
-
SHA256
48999ea27b785e20a46131a9949bcb8ec2cc0ba3121b46b0662f7d8cae2519fb
-
SHA512
deba332350e593de1c28ae87a46af226c5a1eb6a40cbbe02875eca1a5279400cc75e3658cde6ceff842434fd914586b25c3d5b20889d20f7d1ef5573a08ece88
-
SSDEEP
3072:rX03NLm4wulNaEl0F7p78LXG2mi9Jx88bWdI9fdMW:jYNH70FpgLXG251CdIBX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
-
Modifies firewall policy service 2 TTPs 6 IoCs
-
Sality
Sality is backdoor written in C++, first discovered in 2003.
-
UAC bypass 3 TTPs 2 IoCs
-
Windows security bypass 2 TTPs 12 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 6 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Windows security modification 2 TTPs 14 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Enumerates connected drives 3 TTPs 17 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 41 IoCs
-
Suspicious use of WriteProcessMemory 36 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cff9cd0b86c004879f6b7531427adc70_NeikiAnalytics.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cff9cd0b86c004879f6b7531427adc70_NeikiAnalytics.dll,#13⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\f7608b8.exeC:\Users\Admin\AppData\Local\Temp\f7608b8.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\AppData\Local\Temp\f760a2e.exeC:\Users\Admin\AppData\Local\Temp\f760a2e.exe4⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\f762452.exeC:\Users\Admin\AppData\Local\Temp\f762452.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\f7608b8.exeFilesize
97KB
MD564c2034b064c8c2a30d651ff5a11c8c4
SHA1d888296820f8120c0d83a32862e7810aafc156f5
SHA25623c94a11423a03c04844f283c908e6b7c0ba5e9faeeb3a584ef08ead67d53eb5
SHA512a44fa3fcbb444cb6d1cba333e51b09d16ccd7bc37d928b231a1abfe5245a5b732ae002690b3c45b857e1466343a6545845a797181fccb666ec7b663934848b9e
-
C:\Windows\SYSTEM.INIFilesize
257B
MD51b79ca45a3b7ad2734e0e9c00364d732
SHA1b81b2157ef34e12fc69536e099050ba4ca531164
SHA2568fc9216112b080bf531ded7b9d1f68f7d153a3987d7e16fab278566e2cd49ee6
SHA5128bc4d20c054023fb98e77689adba9b4eeacfd3c7b7d897e68d4493f84bedc68345f1c0d8185d00d40aba011298e88d0a08b7ff0d9b0844ca591584468d2fede6
-
memory/1268-24-0x0000000000450000-0x0000000000452000-memory.dmpFilesize
8KB
-
memory/1752-56-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1752-60-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1752-59-0x00000000002A0000-0x00000000002B2000-memory.dmpFilesize
72KB
-
memory/1752-32-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/1752-8-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/1752-78-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/1752-81-0x00000000001C0000-0x00000000001C2000-memory.dmpFilesize
8KB
-
memory/1752-9-0x00000000001C0000-0x00000000001D2000-memory.dmpFilesize
72KB
-
memory/1752-41-0x0000000000200000-0x0000000000201000-memory.dmpFilesize
4KB
-
memory/1752-1-0x0000000010000000-0x0000000010020000-memory.dmpFilesize
128KB
-
memory/1752-31-0x00000000001F0000-0x00000000001F2000-memory.dmpFilesize
8KB
-
memory/2136-63-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-64-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-23-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-16-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-15-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-21-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-43-0x00000000002A0000-0x00000000002A1000-memory.dmpFilesize
4KB
-
memory/2136-22-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-20-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-19-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-49-0x0000000000290000-0x0000000000292000-memory.dmpFilesize
8KB
-
memory/2136-62-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-17-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-58-0x0000000000290000-0x0000000000292000-memory.dmpFilesize
8KB
-
memory/2136-66-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-65-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-68-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-69-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-11-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2136-151-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2136-14-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-18-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-83-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-85-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-87-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-152-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-122-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2136-108-0x0000000000690000-0x000000000174A000-memory.dmpFilesize
16.7MB
-
memory/2688-106-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2688-98-0x00000000003E0000-0x00000000003E2000-memory.dmpFilesize
8KB
-
memory/2688-97-0x00000000003F0000-0x00000000003F1000-memory.dmpFilesize
4KB
-
memory/2688-156-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/2688-61-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3060-107-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3060-104-0x00000000002B0000-0x00000000002B1000-memory.dmpFilesize
4KB
-
memory/3060-105-0x0000000000260000-0x0000000000262000-memory.dmpFilesize
8KB
-
memory/3060-82-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3060-166-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB
-
memory/3060-205-0x0000000000400000-0x0000000000412000-memory.dmpFilesize
72KB
-
memory/3060-204-0x0000000000970000-0x0000000001A2A000-memory.dmpFilesize
16.7MB